News: 1751528046


Let's Encrypt rolls out free security certs for IP addresses

(2025/07/03)


Let's Encrypt, a certificate authority (CA) known for its free TLS/SSL certificates, has begun issuing digital certificates for IP addresses.

It's not the first CA to do so. PositiveSSL, Sectigo, and GeoTrust all offer TLS/SSL certificates for use with IP addresses, at prices ranging from [1]$40 to $90 or so annually. But Let's Encrypt does so at no cost.

For those with a static IP address who want to host a website, an IP address certificate provides a way to offer visitors a secure connection with that numeric identifier while avoiding the nominal expense of a domain name.

Why would one want 1.1.1.1?

Generally, web users visit websites by entering domain names, like theregister.com, into their browser. The browser checks with the domain name system (DNS) to map the text-based name to a numeric IP address, then tries to connect to the associated site.

Entering theregister.com's IPv4 address (104.18.4.22) directly into the browser's address bar produces a certificate error: the browser will only accept a certificate whose subject alternative names include that IP address, and the site's certificate names theregister.com instead. But if we acquired an IP address certificate and configured our servers properly, readers could visit using only the numeric address. Cloudflare does this with its 1.1.1.1 IP address, which should redirect to https://one.one.one.one if a user enters only the dotted quad into a browser.
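The identity check that produces that error, as an added example that is not code from the article, from Let's Encrypt or from any browser: the function below applies the matching rules of RFC 5280 and RFC 6125 that a TLS client uses, comparing an IP literal only against iPAddress SAN entries and a hostname only against dNSName entries, with no fallback between the two. The SAN lists are constructed for the example and merely modelled on the cases above; they are not read from the real certificates of either site.

```python
"""Certificate identity matching for hostnames versus IP literals.

Added example (not from the article, Let's Encrypt or a browser). It applies
the RFC 5280 / RFC 6125 rules: an IP literal is matched only against
iPAddress SANs, a hostname only against dNSName SANs, with a single left-most
wildcard label allowed for names and never for addresses.
"""
import ipaddress
from typing import List, Tuple

# A SAN entry as (kind, value): kind is "dns" (dNSName) or "ip" (iPAddress).
SAN = Tuple[str, str]

# Constructed SAN lists modelled on the cases in the article; they are NOT
# read from the real certificates of either site.
REGISTER_SANS: List[SAN] = [
    ("dns", "theregister.com"),
    ("dns", "*.theregister.com"),
]
RESOLVER_SANS: List[SAN] = [
    ("dns", "one.one.one.one"),
    ("ip", "1.1.1.1"),
    ("ip", "1.0.0.1"),
    ("ip", "2606:4700:4700::1111"),
]


def _dns_name_matches(pattern: str, host: str) -> bool:
    """dNSName match: case-insensitive, one wildcard label allowed in the
    left-most position only, matching exactly one label ("*.a.com" matches
    "www.a.com" but neither "a.com" nor "x.y.a.com")."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_valid_for(sans: List[SAN], requested: str) -> bool:
    """Return True if a certificate carrying `sans` is valid for the host the
    client typed. The client decides which identifier type it has from the
    URL: an IP literal (IPv4 dotted quad or bracketed IPv6) is compared only
    with iPAddress entries, as addresses rather than strings, so
    "2606:4700:4700::1111" equals its fully expanded form. There is no
    fallback between the two types, which is why https://104.18.4.22/
    fails against a certificate issued for theregister.com."""
    host = requested.strip()
    if host.startswith("[") and host.endswith("]"):  # URL form of IPv6
        host = host[1:-1]
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # not an IP literal, so treat it as a hostname

    if addr is not None:
        for kind, value in sans:
            if kind != "ip":
                continue  # an IP written into a dNSName is not honoured
            try:
                if ipaddress.ip_address(value) == addr:
                    return True
            except ValueError:
                continue  # malformed iPAddress entry: never matches
        return False

    return any(kind == "dns" and _dns_name_matches(value, host)
               for kind, value in sans)


def demo() -> dict:
    """The article's cases, as description -> accepted."""
    return {
        "theregister.com via name": cert_valid_for(REGISTER_SANS, "theregister.com"),
        "theregister.com via IP": cert_valid_for(REGISTER_SANS, "104.18.4.22"),
        "1.1.1.1 via IP": cert_valid_for(RESOLVER_SANS, "1.1.1.1"),
        "1.1.1.1 via name": cert_valid_for(RESOLVER_SANS, "one.one.one.one"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'certificate error'}")
```

The same rule is what makes an IP certificate necessary at all: putting "104.18.4.22" into a dNSName entry, as some legacy certificates did, is rejected by a strict client, and a wildcard never covers an address.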


There's no compelling reason to use IP addresses to find websites, and some good reasons not to do so. For example, DNS names remain when website operators change backends – the name can simply be pointed to another IP address. If web visitors associate a site with a specific IP address, backend changes might require an HTTP redirect rule that routes visitors from the old to the new IP address, which has the potential to negatively impact load times and search engine optimization.


Another reason to favor domain names over IP addresses, explains Aaron Gable, principal engineer at Let's Encrypt, in a [5]blog post, is that IP addresses commonly change – they're often dynamically allocated by ISPs to residential internet customers and thus may vary between sessions. Although this doesn't affect websites, it means people don't have the same sense of ownership of a numeric IP address.


Domain names also have established arbitration rules, the Uniform Domain Name Dispute Resolution Policy ([10]UDRP). Disagreements over IP address rights can get very messy.

Those caveats aside, IP certificates have been a requested feature [11]at least since 2017, and Gable sees several potential scenarios in which an IP address certificate might be warranted.

First, a hosting provider might want one to provide a default landing page in case someone types the company's IP address into a browser, as Cloudflare has done with 1.1.1.1 and Google has done with 8.8.8.8.


Or a web publisher might want to provide a way to connect securely to a website without paying for a domain name, which generally runs [13]between $10 and $50 annually, depending on the domain name registrar.

Gable also suggests that servers supporting the encrypted DNS over HTTPS (DoH) protocol might benefit from an IP address certificate: a client configured with a resolver's IP address has no working DNS yet with which to look up a hostname, so the resolver's certificate has to be valid for the IP address itself.

Other potential uses include providing secure remote access to certain home devices like network-attached storage servers (already doable with tunneling tech like WireGuard or Tailscale), and securing short-lived connections for server administration or interconnection.


Why short-lived? Because rapid cert expiration [15]will become the industry norm in a few years: a short lifetime limits how long a mis-issued, stolen or otherwise compromised certificate can be abused, and reduces reliance on revocation checks, which many clients soft-fail or skip. The downside of this defense is the need to automate the certificate renewal process using [16]an ACME client like Certbot.

Let's Encrypt limits the lifespan of its IP address certificate to six days, a period it adopted for other short-lived certificates earlier this year [17]as a security measure .
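What a six-day lifetime means for the renewal cadence, as an added example that is not code from the article, Let's Encrypt or Certbot: the functions below derive the renewal window from the certificate's own validity dates and run a cron-style checker at different intervals to show which cadences leave a gap. The two-thirds-of-lifetime renewal point and the start date are assumptions made for the example; a real client should also honour the CA's ACME Renewal Information (ARI) suggested window and add random jitter so that renewals do not all land at the same instant.

```python
"""Renewal timing for short-lived certificates.

Added example (not from the article, Let's Encrypt or Certbot). The point
it makes: with a 90-day certificate a renewal job that runs every few days
is fine; with a 6-day certificate the same job produces an outage, because
the renewal window is only two days wide.
"""
from datetime import datetime, timedelta, timezone
from typing import Tuple

# Lifetimes from the article: 90 days for classic certs, 6 days for
# Let's Encrypt's short-lived profile used for IP address certificates.
CLASSIC_LIFETIME = timedelta(days=90)
SHORT_LIFETIME = timedelta(days=6)

# Assumption for this example: renew once two thirds of the lifetime has
# elapsed, leaving the final third to retry if a renewal attempt fails.
# Integer arithmetic on timedelta keeps the window exact to the microsecond.
RENEW_NUM, RENEW_DEN = 2, 3


def renewal_window(not_before: datetime, not_after: datetime) -> Tuple[datetime, datetime]:
    """(start, end): renew any time after `start`; after `end` the cert is dead."""
    lifetime = not_after - not_before
    return not_before + lifetime * RENEW_NUM // RENEW_DEN, not_after


def renewal_due(not_before: datetime, not_after: datetime, now: datetime) -> bool:
    """True once `now` is inside the renewal window."""
    start, _ = renewal_window(not_before, not_after)
    return now >= start


def max_check_interval(lifetime: timedelta, attempts: int = 2) -> timedelta:
    """Longest gap between checks that still gives `attempts` tries inside
    the window before expiry: 6-day cert -> 1 day, 90-day cert -> 15 days."""
    window = lifetime - lifetime * RENEW_NUM // RENEW_DEN
    return window // attempts


def simulate(lifetime: timedelta, check_interval: timedelta,
             horizon: timedelta) -> Tuple[int, bool]:
    """Run a cron-style renewal loop for `horizon` and return
    (renewals performed, lapsed), where lapsed is True if any check found
    the current certificate already expired, i.e. clients saw an error."""
    t0 = datetime(2025, 7, 3, tzinfo=timezone.utc)  # constructed start time
    not_before, not_after = t0, t0 + lifetime
    now, renewals, lapsed = t0, 0, False
    while now < t0 + horizon:
        now += check_interval
        if now >= not_after:
            lapsed = True  # an expired cert was being served until this check
        if renewal_due(not_before, not_after, now):
            not_before, not_after = now, now + lifetime
            renewals += 1
    return renewals, lapsed


if __name__ == "__main__":
    for lifetime, label in ((CLASSIC_LIFETIME, "90-day"), (SHORT_LIFETIME, "6-day")):
        print(f"{label}: check at least every {max_check_interval(lifetime)}")
        for hours in (12, 24, 72):
            n, gap = simulate(lifetime, timedelta(hours=hours), timedelta(days=180))
            print(f"  every {hours:>2}h: {n:>3} renewals, {'OUTAGE' if gap else 'ok'}")
```

The renewal count is also what to budget for against CA rate limits and for monitoring: a six-day certificate renewed at the two-thirds point is reissued roughly every four days, so an alert on "less than one day of validity left" fires well before users see an error, whereas a 90-day-era alert threshold of a week would be in a permanent alarm state.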

According to Gable, IP address certificates are now available in Let's Encrypt's [18]Staging environment and will become generally available later this year. ®




[1] https://www.geocerts.com/ip-address-for-ssl-certificates


[5] https://letsencrypt.org/2025/07/01/issuing-our-first-ip-address-certificate/


[10] https://www.wipo.int/amc/en/domains/guide/

[11] https://github.com/letsencrypt/boulder/issues/2706


[13] https://www.networksolutions.com/blog/how-much-does-domain-name-cost/


[15] https://www.theregister.com/2025/04/14/ssl_tls_certificates/

[16] https://letsencrypt.org/docs/client-options/

[17] https://letsencrypt.org/2025/02/20/first-short-lived-cert-issued/

[18] https://letsencrypt.org/docs/staging-environment/




"which has the potential to negatively impact [..] search engine optimization"

Pascal Monett

Oh my, Google is going to have trouble finding its little money makers?

Well, we can't have that, now can we?

Re: "which has the potential to negatively impact [..] search engine optimization"

Doctor Syntax

Can I have one for 127.0.0.1

I definitely own it.

why are we using dns?!!

cookiecutter

the dents I've made in the office wall when trying to explain to developers & devops guys...

PLEASE don't hard-code IP addresses in your scripts

No, I can't give the new servers the same IP address as the old servers & run them in parallel while we migrate

No, I'm not going to edit your scripts for you & no, I'm NOT going to wait until you've had a training course before doing the migration

Re: why are we using dns?!!

Doctor Syntax

Give them an isolated bit of network to play with. Then add a second DHCP server to it and let them figure it out.

Re: why are we using dns?!!

wolfetone

I see the mistake you've made.

You've used your own head to make those dents in the office wall.

You need to use the dev guys' heads to make those dents. Go for the biggest one out of the group. Once the rest see what happens they'll fall into line.

Follow me for more IT management by hand grenade tips.

Re: why are we using dns?!!

Fred Daggy

Flag that one up early to the PM as a project risk. Then flag it as a security risk and let the resident hot head from security raise hell. Let the PM and security deal with it. Meanwhile go about the business of surfing El Reg while the Devs sweat bullets.

If, and only if, Devs come back with a story about a brain dead piece of hardware or software can't deal with hostnames, time to make bank in asking for shiny new kit to handle the upgrade process. Gold plate it. Go nuts.

"the dents i've made in the office wall when trying to explain to developers" ...

Anonymous Coward

Hopefully using the thick skulls of said developers and devoperatives and not your fist for this mural dentistry. ;)

It's the idea of abstraction that requires forcible cranial insertion. These dropkicks typically don't use virtual memory addresses when programming but symbolic abstractions (identifiers ~ names) for their programs' objects (variables, procedures etc); one would imagine that no great conceptual leap is required to understand that IP addresses (or indeed even hardware addresses) and server names bear the same relationship.

If what something does is only contingently related to how it does it (that is it could be implemented differently) at least one level of abstraction (typically indirection) is indicated.

In this particular context a naming service would be required which might be DNS but in some environments might be LDAP or NIS or heaven forbid NIS+ and I don't doubt quite a few more truly obscure ones. With the abstraction of the name service switch found in most *ixes you can also mix and match services. ;)

I don't suppose LE will be issuing wild card certs for IP addresses even if such things were possible..

Cleanfeed?

Anonymous Coward

Would this break the UK's silent firewall of Britain?

https://en.wikipedia.org/wiki/Cleanfeed_(content_blocking_system)

?
